[Cryptech Tech] About the TRNG

Joachim Strömbergson joachim at secworks.se
Wed Jan 20 09:31:27 UTC 2016



Aloha!

Benedikt Stockebrand wrote:
> Hi Jacob and list,
> 
> sorry for the long delay (again), but anyway:
> 
> Jacob <jacob at edamaker.com> writes:
> 
>> I fully understand the trust gained by having a custom made
>> external analog TRNG as we do here, but wouldn't be better to XOR
>> the bitstream received from our generator with the one embedded in
>> the CPU(*)?

Having something that we don't have source code to bypass the whole TRNG
chain and influence the final random number result is a no-no, at least
to me. Using it as a third entropy source is ok.

The RNG in the CPU will also not provide nearly the same bitrate as the
CSPRNG does, so the XORing would have to be done in a somewhat more complex
way than with a simple gate. Otherwise you would risk XORing with the same
value multiple times.

To me the basic question is whether we would gain anything, and what the
cost would be to get that. My gut feeling is that the answer is "not much"
and "too much work".


> The downside of such a setup is that you need to put some additional 
> effort into testing it; you can't simply run any sensible tests on
> the XORed bitstream, so you need another way to make sure you detect
> a hardware failure on the TRNG.

The plan is to have on-line monitors for each entropy source that can
detect at least severe brokenness. This would allow the system to
disable broken entropy source hardware.


> This actually brings back a couple thoughts I've come up with
> following a discussion with Basil and Fredrik in Stockholm some time
> ago.  Basil reasoned there that even if the TRNG breaks there are use
> cases where we should still provide "the best (pseudo) random output
> we can deliver at that point", referring to some sort of high
> reliability scenario like an in-flight failure aboard an aircraft.

As long as the output of the CSPRNG is ok, running without reseeding
is possible for a pretty long time (which can be adjusted). If the
CSPRNG generates bad random values, we should stop hard.


> Or put another way: When do most people replace a broken redundant
> power supply in a server? When the other one fails as well.

;-) True.

-- 
Kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================
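The per-source on-line monitors and the rate-matched XOR combining discussed in the message above, as an added example in Python that is not part of this post or of the Cryptech code base. The health tests follow the shape of NIST SP 800-90B section 4.4 (repetition count and adaptive proportion tests); the claim of 8 bits of min-entropy per sample, and the cutoffs derived from it, are assumptions made for the example.

```python
from collections import deque

# Cutoffs per SP 800-90B section 4.4 for alpha = 2^-20 and an ASSUMED H = 8 bits/sample
# (optimistic; use the source's real entropy estimate): RCT 1 + ceil(20/8) = 4, APT 13 at W = 512.
RCT_CUTOFF, APT_WINDOW, APT_CUTOFF = 4, 512, 13

class SourceMonitor:
    """On-line health tests for one entropy source: repetition count test (stuck output)
    and adaptive proportion test (heavy bias). They catch severe brokenness only: a plain
    counter passes them, a stuck or badly biased line does not."""
    def __init__(self, name):
        self.name, self.healthy = name, True
        self.last, self.run = None, 0                  # RCT state: last sample, run length
        self.ref, self.count, self.seen = None, 0, 0   # APT state: window reference and count
    def feed(self, sample):
        """Feed one 8-bit sample; returns False and latches unhealthy once a test fails."""
        if not self.healthy:
            return False
        self.run = self.run + 1 if sample == self.last else 1
        self.last = sample
        if self.seen == 0:                             # first sample of a window is the reference
            self.ref, self.count = sample, 0
        self.count += (sample == self.ref)
        self.seen = (self.seen + 1) % APT_WINDOW
        if self.run >= RCT_CUTOFF or self.count >= APT_CUTOFF:
            self.healthy = False
        return self.healthy

class Mixer:
    """XOR-combine only bytes that every healthy source has freshly delivered, so a slow
    source (e.g. the CPU RNG) is never XORed into several fast-source bytes twice."""
    def __init__(self, monitors):
        self.monitors = {m.name: m for m in monitors}
        self.queues = {m.name: deque() for m in monitors}
    def push(self, name, data):
        for b in data:
            if self.monitors[name].feed(b):
                self.queues[name].append(b)
        if not self.monitors[name].healthy:            # disable the broken source entirely
            self.queues[name].clear()
    def mix(self):
        live = [q for n, q in self.queues.items() if self.monitors[n].healthy]
        n = min((len(q) for q in live), default=0)     # blocks until all live sources have data
        out = bytearray(n)
        for q in live:
            for i in range(n):
                out[i] ^= q.popleft()
        return bytes(out)
```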